Cisco Nexus 1000V Release Notes, Release 4.0(4)SV1(3)

Updated: July 22, 2013

OL-21663-01-E0

This document describes the features, limitations, and caveats for the Cisco Nexus 1000V Release 4.0(4)SV1(3) software. Use this document in combination with documents listed in the "Available Documents" section. The following is the change history for this document.

Introduction

The Cisco Nexus 1000V provides a distributed, layer 2 virtual switch that extends across many virtualized hosts. The Cisco Nexus 1000V manages a data center defined by the vCenter Server. Each server in the data center is represented as a line card in Cisco Nexus 1000V and can be managed as if it were a line card in a physical Cisco switch.

New Software Features

Port Profile System MTU Setting for Uplinks

The system mtu command was introduced to configure an MTU other than 1500 (the default) for system uplink port profiles. If you use an MTU other than 1500, for example, if you use jumbo frames, an ESX reboot reverts the setting on the physical NIC to 1500. This results in a loss of connectivity because the MTUs of the physical NIC and the virtual NIC no longer match. By configuring the MTU in the system uplink port profile, it is preserved through ESX reboots on physical NICs attached to the Cisco Nexus 1000V.

For information about configuring MTU in the system port profile, see the Cisco Nexus 1000V Port Profile Configuration Guide, Release 4.0(4)SV1(3).

GUI Configuration Set Up

A GUI is provided for initial configuration of the VSM after installing the software. The GUI streamlines your configuration of the following:

•Creating the SVS connection between the VSM and vCenter Server, and the resulting connection to the DVS.

•Creating the following VMware port group and VLANs:

–Control

–Packet

–Management

•Enabling Secure Shell (SSH) and configuring an SSH connection.

•Creating a Cisco Nexus 1000V plug-in and registering it on the vCenter Server.

•Powering off and then restarting the VSM.

•Configuring Layer 3 control.

•Configuring VSM high-availability.

For more information, see the Cisco Nexus 1000V System Management Configuration Guide, Release 4.0(4)SV1(3).

ERSPAN Type-III Format

The ERSPAN Type-III header frame is an extended format that supports key fields useful for applications such as network management, intrusion detection, and lawful intercept. This header frame is particularly useful in applications where information about the original parameters of the mirrored frame, including those not present in the original frame itself, is required.

Vmotion of VSM

Vmotion of VSM has the following limitations and restrictions:

•Vmotion of a VSM is supported for both the active and standby VSM VMs. For high availability, it is recommended that the active VSM and standby VSM reside on separate hosts. To achieve this, and prevent a host failure resulting in the loss of both the active and standby VSM, it is recommended that distributed resource scheduling (DRS) be disabled for both the active and standby VSMs.

If you do not disable DRS, then you must use the VMware anti-affinity rules to ensure that the two virtual machines are never on the same host, and that a host failure cannot result in the loss of both the active and standby VSM.

•VMware Vmotion does not complete when using an open virtual appliance (OVA) VSM deployment if the ISO is still mounted. To complete the Vmotion, either click Edit Settings on the VM to disconnect the mounted ISO, or power off the VM. No functional impact results from this limitation.

VMware Lab Manager

VMware Lab Manager does not support using the Cisco Nexus 1000V.

Virtual Service Domain

The Virtual Service Domain (VSD) has the following limitations and restrictions:

•Vmotion is not supported for the service virtual machine (SVM) and should be disabled.

•To prevent loops in the network, configure the following before assigning an SVM to a port profile on the vCenter Server:

–Inside port

–Outside port

–VSD

•To prevent the SVM from flooding the network with packets, make sure to configure the inside or outside VSD port profile with a service port.

•To prevent loops in the network, when making any changes to the SVM port profile, do the following:

–First shut down the SVM.

–Make the changes to the SVM port profile.

–Verify that the changes to the SVM port profile were applied.

–Restart the SVM.

•You must remove the control and packet VLANs from the allowed VLAN lists for an inside or outside VSD port profile, such as that used for Vshield.

For more information about VSD, see the Cisco Nexus 1000V Security Configuration Guide, Release 4.0(4)SV1(3).

Upgrade

Upgrading the software has the following limitations and restrictions:

•After the VSM feature support level is upgraded to support features in the new release, you cannot downgrade it again to a previous release.

•Connectivity to the VSM can be lost during a VEM upgrade when the VSM VM interfaces connect to its own DVS.

•Connectivity between the active and standby VSM can be lost during a VEM upgrade when the VEM that is being upgraded provides interface connectivity to one of the VSMs in the pair. In this case, both VSMs become active and lose connectivity. Use the following workaround:

–Power off the VSM that is connected to the VEM.

–Manually upgrade the VEM that provides interface connectivity to one VSM in the pair.

•If you use a proxy server to connect VMware Update Manager (VUM) to the Internet, you may need to disable the proxy before starting a VUM upgrade of your VEMs. In the VMware versions before VUM Update 1, the proxy prevents VUM from communicating locally with the VSM. Automatic VEM upgrades may fail if the proxy is not disabled first.

For more information about upgrades, see the Cisco Nexus 1000V Software Upgrade Guide, Release 4.0(4)SV1(3).

Access Lists

ACLs have the following limitations and restrictions:

Limitations:

•IPV6 ACL rules are not supported.

•VLAN-based ACLs (VACLs) are not supported.

•ACLs are not supported on port channels.

Restrictions:

•IP ACL rules do not support the following:

–fragments option

–addressgroup option

–portgroup option

–interface ranges

•Control VLAN traffic between the VSM and VEM does not go through ACL processing.

NetFlow

The NetFlow configuration has the following support, limitations, and restrictions:

•Layer 2 match fields are not supported.

•NetFlow Sampler is not supported.

•NetFlow Exporter format V9 is supported.

•NetFlow Exporter format V5 is not supported.

•Multicast traffic type is not supported. Cache entries are created for multicast packets, but the packet/byte count does not reflect replicated packets.

•NetFlow is not supported on port channels.

The NetFlow cache table has the following limitation:

•Immediate and permanent cache types are not supported.

Note The cache size that is configured using the CLI defines the number of entries, not the size in bytes. The configured entries are allocated for each processor in the ESX host and the total memory allocated depends on the number of processors.

Port Security

Port security has the following support, limitations, and restrictions:

•Port security is enabled globally by default. The feature/no feature port-security command is not supported.

•In response to a security violation, you can shut down the port.

•The port security violation actions that are supported on a secure port are Shutdown and Protect. The Restrict violation action is not supported.

•Port security is not supported on the PVLAN promiscuous ports.

Port Profile

Port profiles have the following restrictions or limitations:

•If you attempt to remove a port profile that is in use, that is, one that has already been auto-assigned to an interface, the Cisco Nexus 1000V generates an error message and does not allow the removal.

•When you remove a port profile that is mapped to a VMware port group, the associated port group and settings within the vCenter Server are also removed.

•Policy names are not checked against the policy database when ACL/NetFlow policies are applied through the port profile. It is possible to apply a nonexistent policy.

Telnet Enabled by Default

The Telnet server is enabled by default.

For more information about Telnet, see the Cisco Nexus 1000V Security Configuration Guide, Release 4.0(4)SV1(3).

SSH Support

Only SSH version 2 (SSHv2) is supported.

For more information, see the Cisco Nexus 1000V Security Configuration Guide, Release 4.0(4)SV1(3).

Cisco NX-OS Commands May Differ from Cisco IOS

Be aware that the Cisco NX-OS CLI commands and modes may differ from those used in the Cisco IOS software.

No Spanning Tree Protocol

The Cisco Nexus 1000V forwarding logic is designed to prevent network loops so it does not need to use the Spanning Tree Protocol. Packets that are received from the network on any link connecting the host to the network are not forwarded back to the network by the Cisco Nexus 1000V.

MAC Address Table

In the MAC address table, the forwarding table for each VLAN in a VEM can store up to 1024 MAC addresses.

Cisco Discovery Protocol

CDP runs on all Cisco-manufactured equipment over the data link layer and does the following:

•Advertises information to all attached Cisco devices.

•Discovers and views information about those Cisco devices.

–CDP can discover up to 256 neighbors per port if the port is connected to a hub with 256 connections.

If disabled globally, then CDP is also disabled for all interfaces.

For more information about the Cisco Discovery Protocol, see the Cisco Nexus 1000V System Management Configuration Guide, Release 4.0(4)SV1(3).

DHCP Not Supported for the Management IP

DHCP is not supported for the management IP. The management IP must be configured statically.

LACP

The Link Aggregation Control Protocol (LACP) is an IEEE standard protocol that aggregates Ethernet links into an EtherChannel.

Cisco Nexus 1000V has the following restrictions for enabling LACP on ports carrying the Control and Packet VLANs:

Note These restrictions do not apply to other data ports using LACP.

•At least two ports must be configured as part of the LACP channel.

•The upstream switch ports must be configured in spanning-tree portfast mode. The LACP negotiation causes upstream switch ports to bounce, as per protocol, before starting the port aggregation process.

Without spanning-tree portfast on upstream switch ports, it takes approximately 30 seconds to recover these ports on the upstream switch. Because these ports carry the control and packet VLANs, the VSM loses connectivity to the VEM during that time.

The following commands are available to use on Cisco upstream switch ports in interface configuration mode:

spanning-tree portfast

spanning-tree portfast trunk

spanning-tree portfast edge trunk

MTU Mismatch After ESX Reboot

If you use an MTU other than 1500 (the default) for a physical NIC attached to the Cisco Nexus 1000V, then reboots of the ESX can result in a mismatch with the VMware kernel NIC and failure of the VSM and VEM. For example, in networks that use jumbo frames, you may manually configure an MTU other than 1500. During a power cycle, the ESX reboots and the MTU of the physical NIC reverts to the default of 1500, but the VMware kernel NIC does not. To prevent this mismatch and preserve the MTU for the physical NIC across reboots of the ESX, you must configure the system MTU in the system port profile.

For information about configuring MTU in the system port profile, see the Cisco Nexus 1000V Port Profile Configuration Guide, Release 4.0(4)SV1(3).

For information about recovering from a loss of connectivity due to an MTU mismatch, see the Cisco Nexus 1000V Troubleshooting Guide, Release 4.0(4)SV1(3).
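The following is an added illustration, not taken from this release note or from Cisco's configuration guides, of a system uplink port profile that carries the control and packet VLANs as system VLANs and sets the system MTU as described above, together with the upstream Cisco IOS trunk port configured with spanning-tree portfast as required in the LACP section. The profile name, VLAN IDs, MTU value and upstream interface name are assumed values.

```text
! Cisco Nexus 1000V VSM (assumed profile name, VLAN IDs and MTU value)
feature lacp
port-profile type ethernet system-uplink
  vmware port-group
  switchport mode trunk
  switchport trunk allowed vlan 100-101,200-210
  ! control VLAN 100 and packet VLAN 101 must be system VLANs so the VEM
  ! forwards them before it has contact with the VSM
  system vlan 100-101
  ! preserved on the physical NIC across ESX reboots (MTU Mismatch section)
  system mtu 9000
  ! LACP on ports carrying control/packet VLANs needs at least two members
  channel-group auto mode active
  no shutdown
  state enabled

! Upstream Cisco IOS switch port facing an ESX host NIC (assumed interface)
interface GigabitEthernet1/0/1
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 100,101,200-210
  channel-group 1 mode active
  ! without portfast the LACP bounce costs ~30 s of VSM-to-VEM connectivity
  spanning-tree portfast trunk
```

Repeat the upstream interface block for each physical NIC in the channel so that the minimum of two LACP members stated in the LACP section is met.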

Obtaining Documentation and Submitting a Service Request

For information about obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

This document is to be used in conjunction with the documents listed in the "Available Documents" section.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Internet Protocol (IP) addresses and phone numbers that are used in the examples, command display output, and figures within this document are for illustration only. If an actual IP address or phone number appears in this document, it is coincidental.